I also recommend manually reading/checking the BIOS EEPROM and re-installing the OS from scratch at least every 6 months. This should mostly eliminate most of the advanced threats.
You can set up an ansible script to re-install everything so it can be automated.
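The "manually reading/checking the BIOS EEPROM" step above amounts to comparing a fresh firmware dump against a known-good baseline. The following is an added example, not code from the thread: it records a baseline hash for a dump and later verifies a new dump against it, reporting drift. It assumes the dump file was already produced by a flash-reading tool outside this script; the sample files created in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline-and-verify check for a firmware (BIOS EEPROM) dump.
# Assumption: the dump file (e.g. dump.bin) was produced beforehand by a
# flash-reading tool; this script only records and compares hashes.
set -eu

# baseline_record FILE
#   Prints a "sha256  filename" line suitable for storing as the baseline.
baseline_record() {
    sha256sum "$1"
}

# verify_firmware DUMP BASELINE_FILE
#   Returns 0 when the dump's hash matches the recorded baseline, 1 on drift.
verify_firmware() {
    dump="$1"
    baseline="$2"
    expected=$(cut -d' ' -f1 "$baseline")
    actual=$(sha256sum "$dump" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK: $dump matches baseline"
        return 0
    fi
    echo "DRIFT: $dump hash $actual differs from baseline $expected" >&2
    return 1
}

# demo: constructed sample dumps, not real firmware images.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-firmware-image-v1' > "$tmp/dump.bin"
    baseline_record "$tmp/dump.bin" > "$tmp/baseline.txt"

    # Unchanged dump: verification passes.
    verify_firmware "$tmp/dump.bin" "$tmp/baseline.txt"

    # Altered dump: verification reports drift (exit status 1).
    printf 'constructed-firmware-image-v1-altered' > "$tmp/dump2.bin"
    if verify_firmware "$tmp/dump2.bin" "$tmp/baseline.txt"; then
        echo "unexpected: altered dump matched baseline" >&2
    fi
    rm -rf "$tmp"
}

demo
```

Store the baseline line somewhere the host cannot alter (another machine or write-once media), since a baseline kept on the same disk is exactly what an OS re-install would also wipe.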
How does re-installing the OS from scratch every 6 months "eliminate most of the advanced threats"? The malware has up to 6 months to do its work. An OS re-install may delete the malware, but the next visit to a bad link may re-install the malware as well.
It is just a precautionary measure; some malware, like DDOS bots, might persist for more than 6 months.
Honestly, an immutable OS would be more ideal, but it isn't very realistic. If you are adventurous, it would also be possible to set up a system where the host image gets rebuilt every night and persistent data gets pulled from a git repo.